Giant Managed User web security hole.
chris v
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 11, 2003, 11:59 PM
 
1. Create a managed user account, and choose to limit this user's access to applications. Turn off (uncheck) access to all web browsers.

2. Log in as this user. Try to launch browser -- doesn't work, right? Good. Or so you think.

3. Launch Sherlock or Watson -- either will do. Now, click a web link in any of the tools that offer web links, like eBay or VersionTracker.

4. Presto -- browser launches.

My 11 Y/O daughter with a managed account, whom I didn't want browsing, figured this out in about ten minutes flat. Glad she decided to be honest.

Feedback time.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
ambush
Banned
Join Date: Apr 2002
Location: -
Dec 12, 2003, 12:29 AM
 
Originally posted by chris v:
1. Create a managed user account, and choose to limit this user's access to applications. Turn off (uncheck) access to all web browsers.

2. Log in as this user. Try to launch browser -- doesn't work, right? Good. Or so you think.

3. Launch Sherlock or Watson -- either will do. Now, click a web link in any of the tools that offer web links, like eBay or VersionTracker.

4. Presto -- browser launches.

My 11 Y/O daughter with a managed account, whom I didn't want browsing, figured this out in about ten minutes flat. Glad she decided to be honest.

Feedback time.

CV
beheh. this is [[NSWorkspace sharedWorkspace] openURL:(NSURL *)url];
****. hmm.
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 12, 2003, 12:35 AM
 
Originally posted by ambush:
beheh. this is [[NSWorkspace sharedWorkspace] openURL:(NSURL *)url];
****. hmm.
?? I know you're Quebecoise and all, but can you put that in some kind of English? Or even French?

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Dec 12, 2003, 01:00 AM
 
Originally posted by chris v:
?? I know you're Quebecoise and all, but can you put that in some kind of English? Or even French?

CV
He is saying that apparently there is a bug in the -[NSWorkspace openURL:] API, which Safari is possibly using, which is causing it to get around the application restriction.

To see if he's right, you could download my application, Pacifist (link in my sig), and try clicking the "Visit Web Page" button, which I know for a fact uses the aforementioned API, since I wrote it, and see if you get the same behavior.

If it still occurs, you should probably report this bug to the Cocoa development team at [email protected] so that they can fix it.

Of course, even if this little test turns up positive, there's still the possibility that the bug could be in LaunchServices or some other framework that the Cocoa API is calling functions or methods from...

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Boondoggle
Grizzled Veteran
Join Date: May 1999
Location: Seattle
Dec 12, 2003, 06:05 AM
 
I posted this problem a while ago. There are a few temporary solutions. What I did was to re-allow Safari for the managed user and then set TextEdit as the default browser, then disallow it.

What is happening is that if you've got a default browser pref set, the OS will hand off requests to the browser even if the user does not have privileges to launch it manually.

Read all about it:

http://forums.macnn.com/showthread.p...hreadid=190109


Also please please submit feedback on this if you have not already. This needs fixing.
( Last edited by Boondoggle; Dec 12, 2003 at 06:12 AM. )
1.25GHz PowerBook


i vostri seni sono spettacolari
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 12, 2003, 08:08 AM
 
Originally posted by Boondoggle:
I posted this problem a while ago. There are a few temporary solutions. What I did was to re-allow Safari for the managed user and then set TextEdit as the default browser, then disallow it.

What is happening is that if you've got a default browser pref set, the OS will hand off requests to the browser even if the user does not have privileges to launch it manually.

Read all about it:

http://forums.macnn.com/showthread.p...hreadid=190109


Also please please submit feedback on this if you have not already. This needs fixing.
Feedback submitted. I figured it had something to do with the default browser pref, because I was actually getting Explorer, not Safari. I'll try your tip, as I'd like to keep her computer on the network so she can print. I suppose I could disable Sherlock and Watson too, but that's getting draconian.

CV
( Last edited by chris v; Dec 12, 2003 at 08:13 AM. )

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
kcmac
Mac Elite
Join Date: Jan 2001
Location: Kansas City, Mo
Dec 12, 2003, 10:28 AM
 
chris v,

What else do you use Sherlock or Watson for if not to use the internet? I've always equated these as hybrid browsers. Same with apps like iSeek, etc.

Good find.
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 12, 2003, 11:27 AM
 
Originally posted by kcmac:
chris v,

What else do you use Sherlock or Watson for if not to use the internet? I've always equated these as hybrid browsers. Same with apps like iSeek, etc.

Good find.
They've got things that are useful by themselves, like the dictionary and thesaurus, stock tracker, recipes, translation, weather, phone book, etc. which never require you to launch a browser to see results, so I wanted to leave them for the kids to use, while disabling browsers, so the kids can't download anything. We had a situation with out-of-control chatting, and a daughter who has figured out how easy it is to download the AIM client after I deleted iChat from her machine.

I reset the default browser to Text Edit, and that fixed the Sherlock problem, though. Might have to do the same thing with email prefs? I'm also curious (haven't had time to check) if you can pass off URLs and email addresses with highlighted text in Services.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 12, 2003, 11:59 AM
 
Sure enough, disable Mail. Type email address in Text Edit. Highlight email address, go Text Edit>Services>Mail>Send To....

Presto, Mail launches.

WTF were they thinking? Not much, I assume.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Dec 12, 2003, 12:28 PM
 
You know, if you really want to block access to an application, you can do the following:

1. Control-click on the application, and choose Show Package Contents.

2. Navigate to Contents -> MacOS.

You will see a binary executable file inside this folder. Set the permissions so that your daughter does not have "execute" permission. Unfortunately, the Get Info window doesn't let you set the execute bit, so you can either use the Terminal or something like XRay to change it so you have execute permission, but she doesn't.

Since UNIX won't let you launch something if you don't have permission, that should stop the tyke in her tracks.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 12, 2003, 12:32 PM
 
Originally posted by CharlesS:
You know, if you really want to block access to an application, you can do the following:

1. Control-click on the application, and choose Show Package Contents.

2. Navigate to Contents -> MacOS.

You will see a binary executable file inside this folder. Set the permissions so that your daughter does not have "execute" permission. Unfortunately, the Get Info window doesn't let you set the execute bit, so you can either use the Terminal or something like XRay to change it so you have execute permission, but she doesn't.

Since UNIX won't let you launch something if you don't have permission, that should stop the tyke in her tracks.
Thanks for the hint, and don't take this as rude, because it's not meant that way, but I use the Mac OS for a reason.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Dec 12, 2003, 12:39 PM
 
Originally posted by chris v:
Thanks for the hint, and don't take this as rude, because it's not meant that way, but I use the Mac OS for a reason.

CV
If you use XRay, it's pretty easy - XRay is a really nice program.

But if you don't want to do this, that's your option, I guess. It would stop your kids from using the app very well, though, unless they are proficient enough with UNIX to know how to use single-user mode.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Uncle Skeleton
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Dec 12, 2003, 12:43 PM
 
why don't you delete all the browser apps? you said it was her computer right? and if not, move them to an encrypted disk image or something
     
Boondoggle
Grizzled Veteran
Join Date: May 1999
Location: Seattle
Dec 12, 2003, 01:02 PM
 
all these suggestions are fine, but the reality is that managing users does NOT work the way it should using the apple supplied tools.

It is confusing, unreliable and just plain bad...
1.25GHz PowerBook


i vostri seni sono spettacolari
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 12, 2003, 03:36 PM
 
I can handle the short-term workarounds, and I appreciate all the suggestions. The main point of this thread, though was that we have a bug here. I'd like to see it fixed so that these things can work as they're supposed to. For now, the re-setting of the default browser and email client to Text Edit or some non-browsing type app is doing the trick, and no, the kid doesn't know UNIX-- yet. She's curious, though. Can't just delete all the browsers since I still have to admin the machine, and download and install the occasional program and update.

I just want to be able to turn off one user's access to browsers and email and have that work securely, since this is a provided feature in the OS. It's not working the way it should.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
diamondsw
Senior User
Join Date: Apr 2000
Location: Woodridge, IL
Dec 12, 2003, 06:06 PM
 
Originally posted by Boondoggle:
all these suggestions are fine, but the reality is that managing users does NOT work the way it should using the apple supplied tools.

It is confusing, unreliable and just plain bad...
Let's see a show of hands here for who'd like "At Ease" back. In terms of setting up limitations and simplifying the "Finder", it was great. Excellent for similar applications like kiosks.
     
Arkham_c
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Dec 12, 2003, 07:07 PM
 
Originally posted by chris v:
I can handle the short-term workarounds, and I appreciate all the suggestions. The main point of this thread, though was that we have a bug here.
Yup, it's a bug. However, we can't fix it. It's up to Apple. As long as you reported it via the Apple.com feedback link, you've done all you can do.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 12, 2003, 08:27 PM
 
Originally posted by Arkham_c:
Yup, it's a bug. However, we can't fix it. It's up to Apple. As long as you reported it via the Apple.com feedback link, you've done all you can do.
Well, if I raise a little hell here too, maybe some more people will post bug reports, and someone more knowledgeable than me will be able to be more specific about the cause of the bug, thus making it more plain to those employed by Apple for the sake of fixing this sort of stuff.

Plus, maybe Steve Jobs is bored and surfing the fora this evening.

Also, spreading awareness is part of the game here, no? I got lucky, and my kid decided to be honest. Other kids might not be so forthcoming with their admin dads.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
kcmac
Mac Elite
Join Date: Jan 2001
Location: Kansas City, Mo
Dec 12, 2003, 11:07 PM
 
I still don't get how it is a bug. Sherlock accesses the internet to go to stocktracker, thesaurus, etc. It has to get there somehow does it not? IE, Safari, whatever?

iTunes goes to the internet via Safari (in the background) to get to the music store.

It seems logical to me that any app that accesses the internet would have to be turned off if you don't want her on the internet. You can't really be half pregnant. You're either on or off.

Personally, we decided to keep our computer in the kitchen so the kids aren't tempted to go to any crazy sites. The internet is a fantastic learning tool and I can't imagine not letting our kids use it. We are constantly looking up new things as they interest us. Kids can see some pretty wild stuff on the TV if you don't pay attention. Wouldn't think of giving them a TV in their bedroom hooked to cable either.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Dec 12, 2003, 11:19 PM
 
Originally posted by kcmac:
I still don't get how it is a bug. Sherlock accesses the internet to go to stocktracker, thesaurus, etc. It has to get there somehow does it not? IE, Safari, whatever?
No, Sherlock uses WebKit to get to those sites. It doesn't need Safari or IE at all - you could delete them from the hard disk entirely and Sherlock would still work. And for some of the plug-ins that don't need to render HTML, not even WebKit is needed for those.

As you may have noticed, Sherlock works when Safari is not running, and it doesn't have to launch it to do its thing.

And what about curl? You could use it to download a raw HTML page from a web site. Do you think that curl has to go through Safari or IE to get to the Internet to do that?

Originally posted by kcmac:
iTunes goes to the internet via Safari (in the background) to get to the music store.
Uh, no it doesn't.

Originally posted by kcmac:
It seems logical to me that any app that accesses the internet would have to be turned off if you don't want her on the internet. You can't really be half pregnant. You're either on or off.
No, the Internet is composed of many different protocols, including HTTP, FTP, mail, Usenet, etc. You can easily have one of these without the rest - she won't be able to browse the Web with an e-mail program.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 12, 2003, 11:25 PM
 
Services appear to be a separate hole with the same consequences. Changing default browser and mail app preferences to Text Edit or whatever (I tried Calculator) does not stop services from opening Mail. Safari doesn't appear in the Services menu, but just out of curiosity, I disabled Omniweb on another account on my computer, and was able to launch it by passing off a URL with Services, despite the default browser being set as Calculator.app.

Shoddy.

Yes, I also mailed the [email protected].

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
barbarian
Senior User
Join Date: Apr 2001
Location: Palo Alto, CA
Dec 13, 2003, 04:32 AM
 
Why not just have your daughter have access to her home folder only. Create a separate applications folder in there with only the apps you want them to have.

--
Another alternative: set up her network preferences so that all internet access is turned off.

--
Obviously it's a bug if you've restricted an app and it's launchable via other means, but I don't understand the anger. It's a bug, they happen. If enough people are bothered by this and send polite feedback, it will be fixed.

--
none of my business, but as an aside, no internet or email for an 11 year old seems pretty harsh... especially an 11 year old responsible enough to tell her dad that she can accidentally access the internet via sherlock.
     
doubtingtom
Fresh-Faced Recruit
Join Date: Oct 2003
Location: Japan
Dec 13, 2003, 04:54 AM
 
At Ease? Oh, come on. To crack At Ease all you had to do was make a text edit file and save it as the At Ease Pref file and the whole thing would crash and you could reboot into the normal system. It maybe took 5 minutes including reboot.

chris v is right (and doesn't appear too angry to me). Sure there are workarounds: Permissions, deleting programs, yadda yadda, but the point is you should be able to set limitations without having to worry about glaring back (dare I say, side) doors or unix workarounds.

I don't even use this, but I tried it out, and now I'm going to report it, because some day I will want this feature, and I don't want to go through (now with 10.3 getting rid of the internet pref pane) individual apps and set default browsers to a text editor, only to have to redo the steps when I want to relinquish the restriction.
12 Powerbook rev. B
17 LCD
     
Boondoggle
Grizzled Veteran
Join Date: May 1999
Location: Seattle
Dec 13, 2003, 08:20 AM
 
As I posted above I've had this exact problem myself with managing limited users. I have an account for a 12 y/o girl as well as one for her 6 y/o sister.

Another glaring problem with managed users has cropped up. When I create a list of allowed apps for the 6yo she no longer can mount .dmg's, even though the only app that is apparently doing any mounting is the Finder which she of course is allowed to use. .dmg's are great for kids who might otherwise be a little rough on CD's, CD trays etc. and this flaw has caused me even more grief in setting things up for these kids.
1.25GHz PowerBook


i vostri seni sono spettacolari
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 13, 2003, 11:40 AM
 
Originally posted by barbarian:
Why not just have your daughter have access to her home folder only. Create a separate applications folder in there with only the apps you want them to have.

--
Another alternative: set up her network preferences so that all internet access is turned off.

--
Obviously it's a bug if you've restricted an app and it's launchable via other means, but I don't understand the anger. It's a bug, they happen. If enough people are bothered by this and send polite feedback, it will be fixed.

--
none of my business, but as an aside, no internet or email for an 11 year old seems pretty harsh... especially an 11 year old responsible enough to tell her dad that she can accidentally access the internet via sherlock.
I think you mistake irritation for anger. OS X has a feature by which you can supposedly restrict apps on a per user basis. It doesn't work. This irritates me as a customer. Otherwise, I love OS X. Do a search for my name here in the OS X forum. I've been fighting the good fight since 10.1. I'm not Apple-bashing-- I'm discussing a bug.

There are work-arounds, and I have implemented them, thanks to suggestions made here in this thread. I'm grateful for the advice, as always. Do another search for "chris v" and "thanks!" You'll see that 90% of what I do know about OS X, I learned here.

I know it sounds draconian, but my daughter has been grounded from the internet for reasons I have already gone into above. I'm the parent, not you. I still want to be able to network the machines in the house, so that she can print, and I thought restricting apps would be the way to do this, plus there are useful net features on her computer, chat, browsers and email aside, that I wanted her to still be able to take advantage of. I'm trying to avoid just pulling the cord.

Believe it or not, I also see the pointing-out of bugs as actually helpful to Apple and all their customers, since it's an avenue towards having them fixed, and we all learn something that may be important to us collectively and individually. This is actually an extension of that "Good fight" I mentioned above. My feedback is always very detailed and polite-- even cheerful most of the time.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
chaldean oracle
Junior Member
Join Date: Nov 2003
Dec 13, 2003, 12:29 PM
 
Originally posted by Boondoggle:
When I create a list of allowed apps for the 6yo she no longer can mount .dmg's, even though the only app that is apparently doing any mounting is the Finder which she of course is allowed to use.
file:///System/Library/CoreServices/DiskImageMounter.app
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Dec 13, 2003, 12:53 PM
 
Originally posted by doubtingtom:
At Ease? Oh, come on. To crack At Ease all you had to do was make a text edit file and save it as the At Ease Pref file and the whole thing would crash and you could reboot into the normal system. It maybe took 5 minutes including reboot.
Or, you could use this simple little AppleScript, which you could send from a HyperCard stack:

Code:
tell application "At Ease"
    quit
end tell
and get right to the Finder. Great security, huh?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 19, 2003, 08:31 AM
 
Okay, I got a reply from the cocoa developers address. "Thank you for the email. This has been submitted into the bug tracking system; the bug number is 3509345."

I have officially arrived at utter geekdom.

But it gets worse. Launch Real One Player. Go View>Real One Home. Presto, Explorer, even with Text Edit set as the default browser.

Yes, the 11-year-old found this one, too. She's beginning to take a little pride in her "hacking" abilities, and had a pretty big grin on her face when she came in the room. "Hey! I found another hole!" Ms. junior utter geekdom.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
weezie
Fresh-Faced Recruit
Join Date: Jul 2002
Location: Seattle
Dec 19, 2003, 06:50 PM
 
Originally posted by Boondoggle:
Another glaring problem with managed users has cropped up. When I create a list of allowed apps for the 6yo she no longer can mount .dmg's, even though the only app that is apparently doing any mounting is the Finder which she of course is allowed to use.
This one hit me as well. I ended up using the 10.2 version of disk copy that I still had on a backup. I mapped all .dmg's for that user to open using it. I agree that multiple users needs A LOT more work.

Not being a unix user at all, I'm still dumbfounded that I can't create a shared folder that has permissions for everyone to read and write AND applies those permissions to any file that is then put into that folder after the permissions are set. This is frustrating as hell.

A unix friend of mine said something about "umask," but like I said, I just want to point, click, and drag to share files with my wife. I don't want to type arcane black magic into a terminal so she can edit and save a word doc or photo that I put into a folder called "shared." (I know I can put a file into the public drop box in her user account, but then it isn't really "shared" anymore because I can't get at it.)
     
King Bob On The Cob
Mac Elite
Join Date: Apr 2002
Location: Illinois
Dec 20, 2003, 02:41 AM
 
That is what folder actions are for...
Don't ask me how to set it up but I'm sure someone could tell you.
     
yukon
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Dec 20, 2003, 01:16 PM
 
btw/fyi, XP has the same general problem. a locked down workstation, if you can access the Help documentation/application (and you can, it's on the start menu), you can search it for certain things and find helpful links that will "help me open my web browser". i used it to get command.com for legitimate reasons (qwerty fools...)
This insanity brought to you by:
The French CBC, driving antenna users mad since 1937.
     
Spliffdaddy
Posting Junkie
Join Date: Oct 2001
Location: South of the Mason-Dixon line
Dec 20, 2003, 04:36 PM
 
XP can be 'locked down' quite adequately. If it isn't, it's the fault of the system administrator. We have XP machines at our workplace that have nothing available except the ONE needed application. There is nothing on the 'Start Menu' except Log off.
     
ryaxnb
Grizzled Veteran
Join Date: Sep 2003
Location: Felton, CA
Dec 21, 2003, 06:22 PM
 
Originally posted by weezie:
This one hit me as well. I ended up using the 10.2 version of disk copy that I still had on a backup. I mapped all .dmg's for that user to open using it. I agree that multiple users needs A LOT more work.
For those who don't have Disk Copy, try the Mount App. http://www.versiontracker.com/dyn/moreinfo/macosx/18669
Also, it's not the Finder that does the mounting. It's the DiskImageMounter app. It's located in Macintosh HD:System:Library:CoreServices (Type this into Go To Folder: /System/Library/CoreServices,) and you can grant access to that app as well.
Trainiable is to cat as ability to live without food is to human.
Steveis... said: "What would scammers do with this info..." talking about a debit card number!
     
diamondsw
Senior User
Join Date: Apr 2000
Location: Woodridge, IL
Dec 29, 2003, 06:47 PM
 
Originally posted by CharlesS:
Or, you could use this simple little AppleScript, which you could send from a HyperCard stack:

Code:
tell application "At Ease"
    quit
end tell
and get right to the Finder. Great security, huh?
I'm not saying port At Ease, I'm more saying move "restricted" users to a separate program entirely. As a completely separate application with its own management of access to the system, it would probably work better than shoehorning this into the Finder, which has a lot of innate power that's going to be difficult to completely hide.

A couple nitpicky points:

1) As for saving files over the prefs file, it was easy to restrict access to folders - they would NOT have access to the System Folder, quite obviously.
2) Under classic OS's, how are they going to execute a "quit" AppleScript in the first place? No terminal available, no Script Editor allowed to the user. HyperCard was far from common in those later days. But again, why would I have allowed such programs in the first place?
3) When quit, At Ease relaunched - it did NOT drop back into the Finder.

I used this to set up internet kiosks - telnet/SSH and Netscape (version 3, way back then). The only addition I needed was a background program that quit any open program with no windows (so users wouldn't end up on a blank desktop). Worked great for many years.
     
qnxde
Grizzled Veteran
Join Date: Jul 2001
Location: Sydney, Australia
Dec 29, 2003, 11:29 PM
 
Smack the shit out of your children! They deserve it! (and God says it's okay)

You can't eat all those hamburgers, you hear me you ridiculous man?
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Dec 30, 2003, 12:27 AM
 
Originally posted by qnxde:
Smack the sh[i ][ /i]it out of your children! They deserve it! (and God says it's okay)
Like how you got that past the board filters. Verrry snnneaky. Good thing you're not going to be a parent, though.

I am, however, tempted to take the d@mn iMac to work and put it on my desk.

CV

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
K++
Senior User
Join Date: Jan 2002
Location: NYC
Dec 30, 2003, 12:41 AM
 
Accounts prefs lies, it does not actually work. Use the unix security model to do your work since everything Apple did can be bypassed by everything else Apple and developers have done.

One thing I have submitted several times is that AppleScript can overcome all forms of security outside of permissions.

To truly secure applications on your machine, Get Info on the application, click the triangle next to preferences, and give "no access" to everyone, this will keep everyone not in the admin or system groups from launching that application at all.

In short, trust the unix permissions, since everything above that can be circumvented.
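
CharlesS's execute-bit suggestion and K++'s "no access" advice above both come down to the UNIX mode bits on the folder Contents/MacOS inside the application bundle. The shell functions below are an added example, not code from any poster in this thread; the function names and the `lockapp.sh` file name are hypothetical, and the approach assumes the managed user is neither the owner of the bundle nor a member of its group (`still_allowed` checks that).

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Run as an administrator who owns the bundle (or via sudo).

# Print everything under <bundle>/Contents/MacOS (the folder itself and
# the files in it, symlinks excepted) that still grants r, w or x to "other".
audit_app() {
    find "$1/Contents/MacOS" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries audit_app reports; 0 means "other" has no access left.
exposed_count() {
    audit_app "$1" | wc -l | tr -d ' '
}

# Succeeds if <user> owns the folder or belongs to its group. Such a user
# is not in the "other" class, so restrict_app would not lock them out.
still_allowed() {
    user=$1
    dir=$2/Contents/MacOS
    [ -n "$(find "$dir" -prune -user "$user")" ] && return 0
    for g in $(id -Gn "$user"); do
        [ -n "$(find "$dir" -prune -group "$g")" ] && return 0
    done
    return 1
}

# Clear all "other" bits on Contents/MacOS and its contents. Owner and
# group bits are left alone, so the admin can still launch the app.
# Read access goes too, so the binary cannot simply be copied elsewhere.
restrict_app() {
    bundle=$1
    if [ ! -d "$bundle/Contents/MacOS" ]; then
        echo "restrict_app: no Contents/MacOS in $bundle" >&2
        return 2
    fi
    find "$bundle/Contents/MacOS" ! -type l -exec chmod o-rwx {} + || return 1
    [ "$(exposed_count "$bundle")" -eq 0 ]
}

# Undo: give "other" the group's bits minus write, so plain data files
# do not become executable.
restore_app() {
    find "$1/Contents/MacOS" ! -type l -exec chmod o=g,o-w {} +
}

# Command-line use: sh lockapp.sh restrict|restore|audit "/path/To.app"
case "${1:-}" in
    restrict) restrict_app "$2" ;;
    restore)  restore_app "$2" ;;
    audit)    audit_app "$2" ;;
esac
```

Run the audit again after an update replaces the application, since a reinstalled bundle arrives with its packaged modes rather than the restricted ones.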
     
   
 
All contents of these forums © 1995-2017 MacNN. All rights reserved.